Gadget

Get your passwords in shape for 2019

Many of us have entered the new year with a boat load of New Year’s resolutions.  Doing more exercise, fixing unhealthy eating habits and saving more money are all highly respectable goals, but could it be that they don’t go far enough in an era with countless apps and sites that scream for letting them help you reach your personal goals.

Now, you may want to add a few weightier and yet effortless habits on top of those well-worn choices. Here are a handful of tips for ‘exercises’ that will go good for your cyber-fitness.

I won’t pass up on stubborn passwords

Passwords have a bad rap, and deservedly so: they suffer from weaknesses, both in terms of security and convenience, that make them a less-than-ideal method of authentication.  However, much of what the internet offers is independent on your singing up for this or that online service, and the available form of authentication almost universally happens to the username/password combination.

As the keys that open online accounts (not to speak of many devices), passwords are often rightly thought of as the first – alas, often only – line of defence that protects your virtual and real assets from intruders. However, passwords don’t offer much in the way of protection unless, in the first place, they’re strong and unique to each device and account.

But what constitutes a strong password?  A passphrase! Done right, typical passphrases are generally both more secure and more user-friendly than typical passwords. The longer the passphrase and the more words it packs the better, with seven words providing for a solid start. With each extra character (not to mention words), the number of possible combinations rises exponentially, which makes simple brute-force password-cracking attacks far less likely to succeed, if not well-nigh impossible (assuming, of course, that the service in question does not impose limitations on password input length – something that is, sadly, far too common).

Click here to read about making secure passwords by not using dictionary words, using two-factor authentication, and how biometrics are coming to browsers.

I’ll have no sympathy for the passphrase-cracker

Another caveat is that it’s better to refrain from phrases that have made it into the everyday lexicon. Entire books, famous quotes, or lyrics – sing, ‘Pleased to meet me, hope you guess my name’ as a bit of an extreme example that is not to be taken literally – already tend to be part of the fodder of password-cracking tools. The individual words should be in random order and, ideally, sprinkled with special characters and character substitution, all the while retaining a hidden meaning and memorability to its creator.

Then, of course, there is need for each passphrase to be distinct for each account, so that a leak of one of your passphrases doesn’t reverberate through your other and possibly more valuable accounts. Alas, the dangerous practice of password recycling is ubiquitous, and attackers can exploit it hands-down with an automated technique known as ‘credential stuffing’.

It’s quite likely that you use too many online accounts to remember a distinct passphrase for each of them. In which case, it’s worth considering a reputable vault/manager that encrypts your password storage and takes away much of the pain that password management involves. Of course, such a tool can also generate randomised and complex passwords and passphrases for you.

While then you should need to remember only one master password that, ultimately, opens all your online accounts, the pressure will be on the sturdiness and uniqueness, of this one key to your digital kingdom – so it’s back to the suggestions above.

I won’t skip the second step

Another trouble with passwords/passphrases may arise when they are not only the first, but the only line of defence for your account security. When the barrier crumbles – commonly through a phishing attack or by attackers somehow working out your login details – an extra authentication factor that does not rely on ‘something you know’ may very well foil your adversaries.

Two-factor authentication (2FA), or multi-factor authentication (MFA), is an excellent way of boosting the security of your accounts, especially when coupled with hardware keys or dedicated apps, and less so with SMS-borne 2FA. Although many online services provide 2FA options, few require its use. However, the adoption of 2FA has been on the rise and it’s never been easier to jump on the practice. Regardless, if its implementation, signing up for 2FA whenever you can is well worth the little extra effort, as it can help in various scenarios, including when you never fell prey to a cyberattack compromising any of your passwords.

In fact, it’s quite probable that some of your authentication details will be, or have already been, stolen and posted online or made available for sale on underground marketplaces.  The source of these password leaks includes the many security breaches that have blighted online services, retailers, hotel chains and the like.  Additionally, the targeted entity may have protected the user’s passwords with weak hashing and salting functions, or even stored the passwords in plain text. Worse still, the service provider, let alone you, may not know until quite a while later that hackers pilfered the often poorly secured data, or purchased them on the dark web, so you had no shot at taking any ad-hoc defensive measures. Again, this is also where the extra authentication factor will usually thwart any account-takeover attempts.

Click here to find out about preventative measures to keep your data safe, and how biometrics are coming to web browsers.

I’ll use fewer passwords

Surely a mistake, right? Well, it may sound counterintuitive, but fixing your passwords may also imply needing fewer of them in the first place. More precisely, it means cutting ties with the services you no longer use, so that you needn’t ‘look after’ your accounts with them.  We’ll all have set up accounts that we no longer use. Indeed, we may have racked up quite a few of them over the years, including some that we barely remember. However, the adage ‘the internet never forgets’ fits here too, and forgetting is something you shouldn’t do, either.

The trouble with unused accounts is that each of them – even if only a vestige of your much younger self – is a potential source of danger. The service may suffer a breach exposing your password or may be sold to new owners whose intentions might not exactly be honest. Or, if miscreants take over your account, they might be able to use it to break into one of your highly valued accounts, be it gathering private information about you, or through your failing to use a unique password for each account. Or they can just as well use it to spew out spam.

But what doesn’t exist can’t be taken over, can it? Feel no remorse: just dispatch those accounts to a better place and never look back.  There are even services that promise to scale back your online footprint in bulk; that is, without you having to recall or comb through and then manually shut down each inactive account.  Using a service just to help kill online account may not be for everybody, however, as essentially you need to take the developers of such tools at their word.

While you’re cutting the clutter, consider severing ties also with third-party apps and services that are associated with your accounts on social and other major sites, especially the apps that you no longer use. These apps, too, can be misused as other entry points for illicit data collection or even worse. To pull the plug on their access to your account and data, navigate to the privacy and/or security settings of your online service(s) of choice; from there, it usually takes only a click or two.

Next step

Staying safe online isn’t going to become any easier this year, and we’ll be back in a few days with more tips for beefing up your personal security. Next time, we’ll focus mainly on a couple of easy ways to boost the security of your wireless network.

Click here to find out how biometerics are coming to web browsers.

Meanwhile, the International Telecommunication Union has approved two new international standards to overcome the security limitations of passwords, addressing biometric authentication on mobile devices and the use of external authenticators, such as mobile devices, to authenticate Web users.

The new standards are under the responsibility of the ITU standardisation expert group for security, ITU-T Study Group 17.

The specifications were submitted to ITU by the FIDO Alliance (‘Fast Identity Online’), an industry consortium focused on developing open specifications for interoperable strong user authentication leveraging public key cryptography. The approval of the FIDO specifications as ITU international standards is expected to stimulate their adoption globally.

FIDO UAF 1.1 (Universal Authenticator Framework 1.1) – standardised as ITU X.1277 – supports advanced biometric authentication on mobile devices.

CTAP (Client-to-Authenticator Protocol) – standardised as ITU X.1278 – enables the use of external authenticators such as FIDO security keys and mobile devices to authenticate Web users over USB (Universal Serial Bus), NFC (Near-field communication) and BLE (Bluetooth® Low Energy).

CTAP and W3C’s Web Authentication specification (WebAuthn) together comprise the FIDO2 specifications.

ITU and FIDO collaboration

“ITU-T Study Group 17 will continue to strengthen its collaboration with the FIDO Alliance,” said Heung Youl Youm, Chairman of ITU-T Study Group 17. “These two FIDO Alliance specifications, adopted as ITU standards recently, are being widely used in various industries such as the financial sector to provide strong online authentication based on public key cryptography and various user verification methods. These new ITU standards will provide a concrete basis for the two FIDO specifications to be adopted across the 193 ITU Member States.”

“Our working group within ITU-T Study Group 17 was pleased to be able to collaborate with the FIDO Alliance to promote the standardisation of state-of-the-art security technologies,” said Abbie Barbir, Rapporteur for ITU’s working group on ‘Identity management architecture and mechanisms’ (Q10/17). “This work will help address and solve the security limitations of passwords.”

Brett McDowell, executive director of the FIDO Alliance, said: “The FIDO Alliance is working to improve online authentication through open standards based on public key cryptography that make authentication stronger and easier to use than passwords or OTPs. One of the ways that we fulfill this mission is by submitting our mature technical specifications to internationally recognised standards groups like ITU-T for formal standardisation. This recognition from ITU-T, arguably the highest bar in ICT standardisation, illustrates the maturity of FIDO authentication technology and complements our web standardisation work with the World Wide Web Consortium (W3C).”

Exit mobile version